Solved

Connect to Spoke  by passing through the Hub with Cisco VPN Client

Posted on 2009-12-29
776 Views
Last Modified: 2012-05-08
I have set up the configuration on the Spoke and Hub ASA such that a remote Cisco VPN client will first connect to the Hub and then access the resource in the Spoke. Hub and Spoke have already been set up with IPSec. I have also put the necessary settings for "U-turn" on both Hub and Spoke. However, I couldn't make it work. Attached please find the details, does anyone have any idea? Thanks

192.168.150.0 : IP subnet in Hub
192.168.1.0   : IP subnet in Spoke
192.168.4.0   : IP subnet assigned to Cisco VPN client by Hub ASA.
Spoke Site
---------------

ASA Version 7.2(3)
!
hostname abcHongKong
domain-name abc.net
enable password DB49usN encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.y.z.234 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd DB49usNvKscN encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.net
object-group network ERP_Servers
 network-object host 192.168.150.34
 network-object host 192.168.150.35
 network-object host 192.168.150.39
 network-object host 192.168.150.40
access-list inside extended permit ip any any
access-list No-Nat extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 852-Dyxn extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list 852-Dyxn extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list CONNS-ACL extended permit udp any any
access-list 120 extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list 120 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit a.b.c.160 255.255.255.224 outside
icmp deny any echo outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.y.z.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto map mymap 30 match address 852-Dyxn
crypto map mymap 30 set peer a.b.c.162
crypto map mymap 30 set transform-set 3des
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.150.31 192.168.150.32
dhcpd lease 259200
dhcpd domain abc.net
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
!

priority-queue outside
  queue-limit   80
  tx-ring-limit 488
!
class-map TG-DataCentre
 description "QoS reserved for DataCentre "
 match access-list 120
class-map inspection_default
 match default-inspection-traffic
class-map CONNS-MAP
 match access-list CONNS-ACL
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class CONNS-MAP
  set connection per-client-max 150
policy-map QoS
 class TG-DataCentre
  priority
 class class-default
  police output 900000
!
service-policy global_policy global
service-policy QoS interface outside
username abcadmin password uRQ/wQ encrypted privilege 15
tunnel-group a.b.c.162 type ipsec-l2l
tunnel-group a.b.c.162 ipsec-attributes
 pre-shared-key *
prompt hostname context

Hub Site
-------------
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name abc.net
enable password DB49usNvKsc encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address a.b.c.162 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif csetest
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd DB49usNvKsc1 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.net
same-security-traffic permit intra-interface
access-list inside extended permit ip any any
access-list outside extended permit tcp any host a.b.c.164 eq www
access-list outside extended permit tcp any host a.b.c.164 eq https
access-list outside extended permit tcp any host a.b.c.169 eq www
access-list outside extended permit tcp any host a.b.c.169 eq citrix-ica
access-list outside extended permit icmp any host a.b.c.170
access-list outside extended permit icmp any host a.b.c.170 echo-reply
access-list outside extended permit tcp any host a.b.c.170 eq www
access-list outside extended permit tcp any host a.b.c.170 eq citrix-ica
access-list outside extended permit tcp any host a.b.c.170 eq 2598
access-list outside extended permit tcp any host a.b.c.171 eq www
access-list outside extended permit tcp any host a.b.c.171 eq citrix-ica
access-list outside extended permit udp any host a.b.c.171 eq 1604
access-list outside extended permit tcp any host a.b.c.171 eq 2598
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 852-HKO extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 852-HKO extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu csetest 1500
mtu management 1500
ip local pool ipsecpool 192.168.4.100-192.168.4.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit a.b.c.160 255.255.255.224 outside
icmp deny any echo outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) a.b.c.164 192.168.150.32 netmask 255.255.255.255
static (inside,outside) a.b.c.169 192.168.150.41 netmask 255.255.255.255
static (inside,outside) a.b.c.170 192.168.150.39 netmask 255.255.255.255
static (inside,outside) a.b.c.171 192.168.150.40 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 a.b.c.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map mymap 30 match address 852-HKO
crypto map mymap 30 set peer x.y.z.234
crypto map mymap 30 set transform-set 3des
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.150.32 192.168.150.31
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value No-Nat
 default-domain value abcrenewables.net
username abcadmin password uRQ/wGqvi  encrypted privilege 15
username leu password OOY.OvxDqJ  encrypted
tunnel-group dc5510 type remote-access
tunnel-group dc5510 general-attributes
 address-pool ipsecpool
 authorization-server-group LOCAL
 default-group-policy vpnclient
tunnel-group dc5510 ipsec-attributes
 pre-shared-key *
tunnel-group x.y.z.234 type ipsec-l2l
tunnel-group x.y.z.234 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

Question by:AXISHK
2 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 2000 total points
ID: 26142678
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

Try redoing your split tunnel.

access-list split-tunnel standard permit 192.168.150.0 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy vpnclient attributes
 split-tunnel-network-list value split-tunnel

Also, on the hub you should change the IP on the management interface so it's not the same as the spoke subnet, as that may mess up routing as well.

Finally, you don't need this line:

access-list No-Nat extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

This is because that line is only evaluated when coming in the inside interface, which would never happen. The packet comes in the outside interface, is decrypted, evaluated to route back out the outside interface via the hub-spoke L2L, re-encrypted and routed to the spoke.

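As an added example (not code from the thread or from Cisco), a small Python checker for three hub-side points raised in this answer: the split-tunnel list must name a standard ACL, a nat (inside) 0 entry sourced from the VPN pool is never evaluated, and no hub interface should sit in the spoke subnet; it also confirms the same-security-traffic permit intra-interface line the U-turn depends on. The config excerpt, subnets and finding strings are constructed from the configuration posted in the question.

```python
"""Added example (not from the thread): static checks for the hub-ASA U-turn
prerequisites raised in the accepted answer, run over a constructed excerpt."""
import ipaddress
import re
HUB_CONFIG = """\
interface Management0/0
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit intra-interface
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list No-Nat
group-policy vpnclient attributes
 split-tunnel-network-list value No-Nat
"""  # constructed excerpt of the hub config as first posted, not the full config
SPOKE_NET = ipaddress.ip_network("192.168.1.0/24")  # spoke LAN behind the L2L tunnel
POOL_NET = ipaddress.ip_network("192.168.4.0/24")   # pool handed to VPN clients

def parse_acls(cfg):
    """ACL name -> (type, entries); entry[0] is the source 'addr mask' network."""
    acls = {}
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        nets, toks, i = [], parts[3:], 0
        while i < len(toks) - 1:
            try:
                nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"))
                i += 2
            except ValueError:  # a keyword such as permit/ip, not an address
                i += 1
        acls.setdefault(parts[1], (parts[2], []))[1].append(nets)
    return acls

def check_hub(cfg, spoke_net, pool_net):
    """Return findings for the VPN-client -> hub -> spoke path on the hub."""
    acls, out = parse_acls(cfg), []
    lines = [l.strip() for l in cfg.splitlines()]
    if "same-security-traffic permit intra-interface" not in lines:
        out.append("hairpin blocked: same-security-traffic permit intra-interface missing")
    for l in lines:
        if m := re.match(r"split-tunnel-network-list value (\S+)", l):
            kind = acls.get(m[1], ("missing", []))[0]  # must name a standard ACL
            if kind != "standard":
                out.append(f"split-tunnel list {m[1]} is {kind}, not standard")
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", l)) and m[1] != "outside":
            # nat (inside) 0 is consulted only for packets entering inside; decrypted
            # client traffic enters on outside, so a pool-sourced entry is never hit
            if any(e and e[0] == pool_net for e in acls.get(m[2], ("", []))[1]):
                out.append(f"nat ({m[1]}) 0 entry sourced from {pool_net} is never evaluated")
        elif m := re.match(r"ip address (\S+) (\S+)$", l):
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            if net.overlaps(spoke_net):  # e.g. management 192.168.1.1/24 vs the spoke LAN
                out.append(f"interface subnet {net} overlaps spoke LAN {spoke_net}")
    return out

if __name__ == "__main__":
    for finding in check_hub(HUB_CONFIG, SPOKE_NET, POOL_NET):
        print("FINDING:", finding)
```

Paste a full running-config into HUB_CONFIG to run the same checks against a real hub; lines the parser does not recognise are skipped.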

Author Comment

by:AXISHK
ID: 26143441
Thanks, already revised the configuration as per your advice but couldn't succeed.

Any further advice?

Thanks


ASA Version 8.0(3)
!
hostname ciscoasa
domain-name ab.net
enable password DB49usNv  encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address a.b.c.162 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif csetest
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.6.1 255.255.255.0
 management-only
!
passwd DB49usNvKs encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.net
same-security-traffic permit intra-interface
access-list inside extended permit ip any any
access-list outside extended permit tcp any host a.b.c.164 eq www
access-list outside extended permit tcp any host a.b.c.164 eq https
access-list outside extended permit tcp any host a.b.c.169 eq www
access-list outside extended permit tcp any host a.b.c.169 eq citrix-ica
access-list outside extended permit icmp any host a.b.c.170
access-list outside extended permit icmp any host a.b.c.170 echo-reply
access-list outside extended permit tcp any host a.b.c.170 eq www
access-list outside extended permit tcp any host a.b.c.170 eq citrix-ica
access-list outside extended permit tcp any host a.b.c.170 eq 2598
access-list outside extended permit tcp any host a.b.c.171 eq www
access-list outside extended permit tcp any host a.b.c.171 eq citrix-ica
access-list outside extended permit udp any host a.b.c.171 eq 1604
access-list outside extended permit tcp any host a.b.c.171 eq 2598
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 852-HKO extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.150.0 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu csetest 1500
mtu management 1500
ip local pool ipsecpool 192.168.4.100-192.168.4.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit a.b.c.160 255.255.255.224 outside
icmp deny any echo outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) a.b.c.164 192.168.150.32 netmask 255.255.255.255
static (inside,outside) a.b.c.169 192.168.150.41 netmask 255.255.255.255
static (inside,outside) a.b.c.170 192.168.150.39 netmask 255.255.255.255
static (inside,outside) a.b.c.171 192.168.150.40 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 a.b.c.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.6.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map mymap 30 match address 852-HKO
crypto map mymap 30 set peer x.y.z.234
crypto map mymap 30 set transform-set 3des
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.6.2-192.168.6.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.150.32 192.168.150.31
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value abc.net
username abcadmin password uRQ/ encrypted privilege 15
tunnel-group dc5510 type remote-access
tunnel-group dc5510 general-attributes
 address-pool ipsecpool
 authorization-server-group LOCAL
 default-group-policy vpnclient
tunnel-group dc5510 ipsec-attributes
 pre-shared-key *

tunnel-group x.y.z.234 type ipsec-l2l
tunnel-group x.y.z.234 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
